Re: [openpgp] New fingerprint: which hash algo

Phillip Hallam-Baker <> Fri, 23 October 2015 18:01 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AE8741A1BA2 for <>; Fri, 23 Oct 2015 11:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MUgzx9jHzEIn for <>; Fri, 23 Oct 2015 11:00:59 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B06E21A1B8E for <>; Fri, 23 Oct 2015 11:00:58 -0700 (PDT)
Received: by lffv3 with SMTP id v3so92108034lff.0 for <>; Fri, 23 Oct 2015 11:00:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=kV57Y2EmbftryWUbzg/XgeHajsm8hnqawy76cloafd4=; b=QOMx3+w99/VptcQgGua/4iDrlUYIFSACAzAZFVMX0uDa1nS6YvcJZy6ty6s4QaQ31q uMCheXWKrdsZbT8ZLz5XYuCujBlYIJ2LfxQYPR+Jj/UrPdgaluJ6PDOXrAtFwxJj6SAe U+x3brsWBGfB0N81lPb1UJfE8Q8o7m/vLwAiFxvGkmdIgREpl3rnPmWdPc+ehYsojUxE nXdS69YN55onbOtiFhEN3onGecwp1WQIovGtfMsZaE97xUwWTj+fmEI6S0Ufr9KCqKz1 3wLb/E8LB6IfprcIoDu76qaaKqPNJb/n35UiJgkBXEYaiIiDDu8hqnSm+7vkgNN65D3/ 04PA==
MIME-Version: 1.0
X-Received: by with SMTP id l80mr8034702lfi.79.1445623256846; Fri, 23 Oct 2015 11:00:56 -0700 (PDT)
Received: by with HTTP; Fri, 23 Oct 2015 11:00:56 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <>
Date: Fri, 23 Oct 2015 14:00:56 -0400
X-Google-Sender-Auth: DUizgwSavkvqG8O0srvPXmwA3LA
Message-ID: <>
From: Phillip Hallam-Baker <>
To: "Daniel A. Nagy" <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Cc: IETF OpenPGP <>
Subject: Re: [openpgp] New fingerprint: which hash algo
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 23 Oct 2015 18:01:00 -0000

On Mon, Oct 12, 2015 at 8:46 AM, Daniel A. Nagy
<> wrote:
> Hello,
> Now that SHA1 is on the brink of being broken, I believe that all
> Merkle–Damgård hashes should be avoided in new designs. Keccak (SHA-3)
> is just better in so many ways.
> Daniel

The consensus among folk who followed the SHA-3 competition more
closely that I did was that they came to understand a lot more about
SHA-2 and were much more confident about it as a result.

The strong consensus is that every application requiring a digest
should require either SHA-2 or SHA-3 and strongly recommend BOTH.

SHA-3 is a newer construction and has been chosen so that it is highly
unlikely that a single attack would defeat both. But it is not
considered 'more secure'. It is different but that only gives you an
advantage if you use both so that you can make use of the diversity.

We stopped using MD5 very quickly. Most people had dropped it before
the attack was widely known. That was possible because SSL 2.0 had
required the use of MD5 and SHA-1 to construct the MAC. So the
transition was painless. It took the platform providers much longer to
support SHA2 and when they did they refused to support any mechanism
that would make it easy to manage the transition.

Due to the way OpenPGP works, it is not possible to have a recommended
algorithm for fingerprints. Every client has to be able to process any
recommended algorithm, so recommended means 'mandatory to accept'. But
there should definitely be two algorithms to choose from.

That is why I use the first octet in UDF to serve as an algorithm
flag. It is precisely so that we can adapt if the need should arise.
We can argue as to whether we need 8 bits or could survive with 5 or
even one. But if you want to do the job properly you need to have an

The other part of UDF is constructed so that it is possible to use the
same support infrastructure for both OpenPGP fingerprints and SSH
fingerprints without any risk of unfortunate interactions.